Remotely accessing admin shares on Windows 10
I’m sure I have come across this issue before but never cared to document it here on my blog. And when I do that, I am sure to trip up again and forget what I did to fix it. So this time, I’m going to make sure I put it here for my own benefit.
I installed Windows 10 recently to replace an aging Windows Server 2012 R2 Essentials machine which was serving as a DLNA server to my TV, Xbox One and other DLNA clients in my home. Once installed, I wanted to access the D drive where I store all my family photos and videos. How difficult would it be once I made sure the firewall wasn’t blocking file and print services? But was I wrong!! I tried to browse \\windows10\d$ and got a login prompt as expected. I happily provided it with my credentials, which happened to be the only user on the Windows 10 machine and also happened to be an admin account. To my surprise, I got an error “access is denied”!!!
I remembered this had happened before on Windows 8 and I vaguely remembered I had to do something, but what I did was escaping me. After firing up a search, I came across many articles. TechNet article “You Encounter Unexpected Behavior When You Log on to a Remote Computer and UAC Is Enabled” was one of them.
Now I realized what UAC did to admin accounts. It restricts admin users to the standard user equivalent to prevent “loopback” attacks carried out remotely from the network. By treating users who are members of the local Administrators group as standard users, UAC tries to protect against such attacks. However, the problem with that is, I can’t access administrative shares remotely anymore! I must explicitly create the shares I want to access remotely and provide permissions to the account I want to use (even if it is an account with Administrator permissions).
If I want to access administrative shares, I must change system policy to disable token filtering. By setting LocalAccountTokenFilterPolicy, I am instructing UAC not to filter out the admin SIDs and reduce the account to a regular user.
While I am not recommending you do so, I am only documenting what needs to be done if I want to do so. To disable UAC remote restrictions, create or edit the DWORD value LocalAccountTokenFilterPolicy in the registry at the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Set the value of LocalAccountTokenFilterPolicy to 1 and you should be able to access admin shares such as C$ remotely with your admin accounts.
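The registry change described above, as an added PowerShell example that is not part of the original post: it reports the current state of the value before anything is changed, and the same function restores the default. The function names Get-RemoteUacFiltering and Set-RemoteUacFiltering are hypothetical helpers defined here, and the script assumes an elevated prompt.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFiltering {
    # Hypothetical helper: a missing value or 0 means remote tokens for
    # local Administrators members are filtered (the default behaviour).
    $item  = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$PolicyName } else { $null }
    [pscustomobject]@{
        ValuePresent     = ($null -ne $value)
        Value            = $value
        FilteringEnabled = ($value -ne 1)
    }
}

function Set-RemoteUacFiltering {
    # Hypothetical helper: -Enabled $false writes 1 as the post describes;
    # -Enabled $true writes 0, which puts the UAC remote restriction back.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)

    $data = if ($Enabled) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$PolicyName", "Set DWORD to $data")) {
        # -Force creates the value if it is missing and overwrites it otherwise.
        New-ItemProperty -Path $PolicyPath -Name $PolicyName `
            -PropertyType DWord -Value $data -Force | Out-Null
    }
    Get-RemoteUacFiltering   # return the resulting state for confirmation
}

# Show the current state first, so the original setting is known before any change.
Get-RemoteUacFiltering | Format-List

# Uncomment one of the following as needed:
# Set-RemoteUacFiltering -Enabled $false   # allow admin shares such as C$ remotely
# Set-RemoteUacFiltering -Enabled $true    # restore the default filtering
```

Adding -WhatIf to Set-RemoteUacFiltering shows the change it would make without writing to the registry.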
P.S. I must also thank Helge Klein whose very informative post helped me understand the problem. https://helgeklein.com/blog/2011/08/access-denied-trying-to-connect-to-administrative-shares-on-windows-7/